In democratic countries, governmental officials are chosen by the citizens in an election. Conducting an election and voting for candidates for public office can be performed in several different ways. One such way utilizes mechanical voting machines at predetermined polling places. When potential voters enter the predetermined polling place, voting personnel verify that each voter is properly registered in that voting district and that they have not already voted in that election. Thus, for a voter to cast his vote, he or she must go to the polling place at which he or she is registered, based on the voter's residence.
Another method for conducting an election and voting utilizes paper ballots that are mailed to the voters. Each voter wishing to cast a vote marks the ballot and returns the ballot to the voting authority running the election through the mail. In the usual vote by mail process, the voter marks the ballot to cast his/her vote and then inserts the ballot in a return envelope which is typically pre-addressed to the voter registrar's office in the corresponding county, town or locality in which the voter is registered. The voter also appends his/her signature on the back of the envelope adjacent to a voter identification (see below), such as a voter ID number, that is assigned to the voter. The voter identification may be preprinted on the return envelope in human or machine readable (e.g., barcode) form.
In a typical vote by mail system, the voting authority maintains a voter database that includes at least the name, mailing address, voter identification, and registration signature (in the form of an electronic image) of each registered voter. The envelopes including completed ballots that are returned to the registrar's office undergo two separate processes. The first process is an authentication process in which the signature of the voter provided on the return envelope is verified against his or her registration signature that is stored in the voter database. If the signatures match, the return envelope including the completed ballot is stored for later counting. If the signatures do not match, or if the signature is missing from the return envelope, an investigation is commenced during which the registrar normally contacts the voter. The second process occurs at the closing of the election and consists of the counting of the votes from all of the ballots that have been received in return envelopes that have been authenticated as just described.
Currently, the first (authentication) process just described is performed for each returned envelope as follows: (i) the signature on the envelope is scanned, (ii) the voter identification is obtained from the envelope (for example, if the voter identification is in barcode form, the barcode is read using a barcode reader), (iii) the registration signature image associated with the obtained voter identification is retrieved from the voter database using the voter identification, and (iv) the voter identification, the scanned signature image and the retrieved registration signature image are stored for matching purposes. Then each image pair is passed through a signature matching software application (an example of such software is currently offered by Parascript, LLC of Boulder, Colo.) to identify matched pairs and unmatched pairs. The parameters of the signature matching software application are typically adjusted so that the number of false positives (i.e., pairs identified as matching that should not have been so identified) is minimized. The envelopes corresponding to the matched pairs are sorted into an “open and count” pile, while the unmatched pairs are displayed on a computer screen so that they can be examined by a human operator and separated into the following groups: (i) grossly (obviously) unmatching signatures, for which the corresponding envelopes are diverted to a “fraud investigation” pile, (ii) signatures deemed to match based on human inspection, for which the corresponding envelopes are diverted to the “open and count” pile, and (iii) questionable signatures that look similar, but not enough to be deemed matching at this stage (the signature from the envelope may look like an attempt at imitating the stored signature), for which the corresponding envelopes are diverted to a “forensic” pile for more thorough examination.
A problem with the above systems is that the name and mailing address stored in the voter database are semi-public. This situation alone is typically not a cause for concern. However, when coupled with the individual's signature, that information becomes private and sensitive because in combination it can be used to impersonate the individual. Thus, if the voter database without the signatures is compromised, it presents a mild problem, but if the voter database with the signatures is compromised, it presents a significant problem. It would be desirable, therefore, to be able to protect the signatures of voters that are stored in the voter registration database.